def test_authenticated_dev_is_rejected(self, tenants_users_devices):
    """Accept a device, prove its token reaches a device-facing API, then suspend
    the tenant and prove the *already issued* token is refused with 401.

    This is the "revocation on suspension" property: suspending a tenant must
    invalidate tokens that were minted before the suspension, not only block
    new logins.
    """
    tenant = tenants_users_devices[0]
    device = tenant.devices[0]
    user = tenant.users[0]

    mgmt_devadm = ApiClient(deviceadm.URL_MGMT)
    mgmt_useradm = ApiClient(useradm.URL_MGMT)
    dev_devauth = ApiClient(deviceauth.URL_DEVICES)
    internal_tenantadm = ApiClient(tenantadm.URL_INTERNAL)
    dev_deployments = ApiClient(deployments.URL_DEVICES)

    # log in as the tenant's user and accept the device's authset
    r = mgmt_useradm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    r = mgmt_devadm.with_auth(utoken).call(
        'PUT',
        deviceadm.URL_AUTHSET_STATUS,
        deviceadm.req_status('accepted'),
        path_params={'id': get_authset_id(device.pubkey, utoken)})
    assert r.status_code == 200

    # the accepted device signs an auth request and receives a device token
    body, sighdr = deviceauth.auth_req(device.id_data, device.pubkey,
                                       device.privkey, device.tenant_token)
    r = dev_devauth.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 200
    dtoken = r.text

    next_qs = {'device_type': 'foo', 'artifact_name': 'bar'}

    # baseline: the token is honoured by a device API (204 = no deployment pending)
    r = dev_deployments.with_auth(dtoken).call('GET', deployments.URL_NEXT, qs_params=next_qs)
    assert r.status_code == 204

    # suspend the tenant via the internal API
    r = internal_tenantadm.call('PUT', tenantadm.URL_INTERNAL_SUSPEND,
                                tenantadm.req_status('suspended'),
                                path_params={'tid': tenant.id})
    assert r.status_code == 200
    # give the suspension time to propagate before re-checking
    time.sleep(10)

    # the token issued before suspension must now be rejected
    r = dev_deployments.with_auth(dtoken).call('GET', deployments.URL_NEXT, qs_params=next_qs)
    assert r.status_code == 401
def test_accepted_dev_cant_authenticate(self, tenants_users_devices):
    """Accept a device, suspend its tenant, and verify a *fresh* auth request
    from that device is refused with 401 and the 'Account suspended' error.

    Complements the token-revocation check: a suspended tenant's devices must
    not be able to obtain new tokens even though their authset is accepted.
    """
    tenant = tenants_users_devices[0]
    device = tenant.devices[0]
    user = tenant.users[0]

    dev_devauth = ApiClient(deviceauth.URL_DEVICES)
    mgmt_useradm = ApiClient(useradm.URL_MGMT)
    internal_tenantadm = ApiClient(tenantadm.URL_INTERNAL)

    # user login, then accept the device's first authset
    r = mgmt_useradm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    aset = device.authsets[0]
    change_authset_status(aset.did, aset.id, 'accepted', utoken)

    # suspend the tenant and let it propagate
    r = internal_tenantadm.call('PUT', tenantadm.URL_INTERNAL_SUSPEND,
                                tenantadm.req_status('suspended'),
                                path_params={'tid': tenant.id})
    assert r.status_code == 200
    time.sleep(10)

    # a correctly signed auth request must still be refused, with an explicit reason
    body, sighdr = deviceauth.auth_req(aset.id_data, aset.pubkey, aset.privkey,
                                       tenant.tenant_token)
    r = dev_devauth.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 401
    assert r.json()['error'] == 'Account suspended'
def do_test_delete_device_ok(self, devs_authsets, user, tenant_token=''):
    """Decommission a pending and an accepted device.

    The pending device only needs to disappear (404). The accepted device is
    first logged in so we can prove decommissioning also kills its live token
    (401 on a device API) before it, too, disappears from the management API.
    """
    devauthm = ApiClient(deviceauth_v2.URL_MGMT)
    devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
    useradmm = ApiClient(useradm.URL_MGMT)
    deploymentsd = ApiClient(deployments.URL_DEVICES)

    r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    mgmt = devauthm.with_auth(utoken)

    # --- pending device: delete, then confirm it is gone
    dev_pending = filter_and_page_devs(devs_authsets, status='pending')[0]
    r = mgmt.call('DELETE', deviceauth_v2.URL_DEVICE, path_params={'id': dev_pending.id})
    assert r.status_code == 204
    r = mgmt.call('GET', deviceauth_v2.URL_DEVICE, path_params={'id': dev_pending.id})
    assert r.status_code == 404

    # --- accepted device: obtain a live token first
    dev_acc = filter_and_page_devs(devs_authsets, status='accepted')[0]
    acc_aset = dev_acc.authsets[0]
    body, sighdr = deviceauth_v1.auth_req(dev_acc.id_data, acc_aset.pubkey,
                                          acc_aset.privkey, tenant_token)
    r = devauthd.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 200
    dtoken = r.text

    r = mgmt.call('DELETE', deviceauth_v2.URL_DEVICE, path_params={'id': dev_acc.id})
    assert r.status_code == 204

    # the token minted before decommissioning must no longer grant access
    r = deploymentsd.with_auth(dtoken).call(
        'GET', deployments.URL_NEXT,
        qs_params={'device_type': 'foo', 'artifact_name': 'bar'})
    assert r.status_code == 401

    r = mgmt.call('GET', deviceauth_v2.URL_DEVICE, path_params={'id': dev_acc.id})
    assert r.status_code == 404
def create_authset(id_data, pubkey, privkey, utoken, tenant_token=''):
    """Submit an auth request for (id_data, pubkey) and return the resulting
    pending Authset after confirming it is attached to the device.

    The first contact from an unknown key must be refused (401) — the server
    records a 'pending' authset rather than issuing a token. We then look the
    device up as the user and require exactly one authset carrying this key.
    """
    devapi = ApiClient(deviceauth_v1.URL_DEVICES)
    body, sighdr = deviceauth_v1.auth_req(id_data, pubkey, privkey, tenant_token)

    r = devapi.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 401

    api_dev = get_device_by_id_data(id_data, utoken)
    assert api_dev is not None

    # exactly one authset on the device must carry the submitted public key
    matching = [
        a for a in api_dev['auth_sets']
        if util.crypto.rsa_compare_keys(a['pubkey'], pubkey)
    ]
    assert len(matching) == 1
    api_aset = matching[0]
    assert api_aset['identity_data'] == id_data
    assert api_aset['status'] == 'pending'

    return Authset(api_aset['id'], api_dev['id'], id_data, pubkey, privkey, 'pending')
def create_device(id_data, pubkey, privkey, tenant_token=''):
    """Register a device by submitting one auth request.

    An unknown key is never accepted on first contact, so the expected outcome
    is 401 and a 'pending' device/authset on the server. Returns a local
    Device handle; no token is obtained here.
    """
    devapi = ApiClient(deviceauth_v1.URL_DEVICES)
    body, sighdr = deviceauth_v1.auth_req(id_data, pubkey, privkey, tenant_token)

    r = devapi.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 401

    return Device(id_data, pubkey, privkey, tenant_token)
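def tenants_users_devices(tenants_users, mongo):
    """Fixture: register two pending devices per tenant and record each one's
    authset id.

    For every tenant in ``tenants_users`` this generates two keypairs, submits
    an auth request for each (which must be refused with 401, leaving the
    device 'pending'), looks the resulting authset up through the device-admin
    API as the tenant's first user, and appends the Device (with
    ``authset_id`` set) to ``t.devices``. Yields the enriched list and wipes
    mongo on teardown.

    Changes vs. the original: the stray second argument to ``str.format`` was
    dropped (it was silently ignored), the user login is done once per tenant
    instead of once per device, and a missing authset now fails with a clear
    assertion rather than an IndexError.
    """
    devauthd = ApiClient(deviceauth.URL_DEVICES)
    devadmm = ApiClient(deviceadm.URL_MGMT)
    useradmm = ApiClient(useradm.URL_MGMT)

    for t in tenants_users:
        # one user token per tenant is enough to query that tenant's authsets
        r = useradmm.call('POST', useradm.URL_LOGIN,
                          auth=(t.users[0].name, t.users[0].pwd))
        assert r.status_code == 200
        utoken = r.text

        for _ in range(2):
            priv, pub = deviceauth.get_keypair()
            # random MAC-like identity data; not security-sensitive, so `random` is fine
            mac = ":".join("{:02x}".format(random.randint(0x00, 0xFF)) for i in range(6))
            d = Device({'mac': mac}, pub, priv, t.tenant_token)

            # first contact from an unknown key must be refused, leaving a pending authset
            body, sighdr = deviceauth.auth_req(d.id_data, d.pubkey, d.privkey, d.tenant_token)
            r = devauthd.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr)
            assert r.status_code == 401

            # locate the authset that carries this device's public key
            r = devadmm.with_auth(utoken).call('GET', deviceadm.URL_AUTHSETS)
            assert r.status_code == 200
            matching = [x for x in r.json() if compare_keys(x['key'], d.pubkey)]
            assert matching, 'no authset found for the freshly submitted device key'
            d.authset_id = matching[0]['id']

            t.devices.append(d)

    yield tenants_users

    mongo_cleanup(mongo)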
def test_accepted_dev_cant_authenticate(self, tenants_users_devices):
    """Accept a device via deviceadm, suspend its tenant, and verify a fresh,
    correctly signed auth request is refused with 401 / 'Account suspended'."""
    tenant = tenants_users_devices[0]
    device = tenant.devices[0]
    user = tenant.users[0]

    mgmt_devadm = ApiClient(deviceadm.URL_MGMT)
    mgmt_useradm = ApiClient(useradm.URL_MGMT)
    dev_devauth = ApiClient(deviceauth.URL_DEVICES)
    internal_tenantadm = ApiClient(tenantadm.URL_INTERNAL)

    # log in as the tenant's user and accept the device's authset
    r = mgmt_useradm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    r = mgmt_devadm.with_auth(utoken).call(
        'PUT',
        deviceadm.URL_AUTHSET_STATUS,
        deviceadm.req_status('accepted'),
        path_params={'id': get_authset_id(device.pubkey, utoken)})
    assert r.status_code == 200

    # suspend the tenant and let it propagate
    r = internal_tenantadm.call('PUT', tenantadm.URL_INTERNAL_SUSPEND,
                                tenantadm.req_status('suspended'),
                                path_params={'tid': tenant.id})
    assert r.status_code == 200
    time.sleep(10)

    # an accepted key is not enough: the suspended tenant blocks token issuance
    body, sighdr = deviceauth.auth_req(device.id_data, device.pubkey,
                                       device.privkey, device.tenant_token)
    r = dev_devauth.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 401
    assert r.json()['error'] == 'Account suspended'
def make_accepted_device(utoken, devauthd, tenant_token=''):
    """Create a pending device, accept its only authset, and log it in.

    Returns the Device with ``token`` (from the 200 auth response) and
    ``status`` set to 'accepted'; the local authset mirrors that status.
    """
    dev = make_pending_device(utoken, tenant_token=tenant_token)
    aset = dev.authsets[0]

    change_authset_status(dev.id, aset.id, 'accepted', utoken)
    aset.status = 'accepted'

    # an accepted authset is granted a device token on its next auth request
    body, sighdr = deviceauth_v1.auth_req(aset.id_data, aset.pubkey,
                                          aset.privkey, tenant_token)
    r = devauthd.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 200

    dev.token = r.text
    dev.status = 'accepted'
    return dev
def do_test_put_status_reject(self, devs_authsets, user, tenant_token=''):
    """Reject one authset on every pending/accepted/preauthorized device and
    check the device's resulting status.

    For accepted devices a live token is obtained first so we can prove that
    rejecting the active authset revokes API access (401). A device becomes
    'rejected' only when all of its other authsets are already rejected;
    otherwise it falls back to 'pending'.
    """
    devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
    useradmm = ApiClient(useradm.URL_MGMT)
    deploymentsd = ApiClient(deployments.URL_DEVICES)

    r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    candidates = []
    for status in ('pending', 'accepted', 'preauthorized'):
        candidates += filter_and_page_devs(devs_authsets, status=status)

    for dev in candidates:
        # accepted/preauthorized devs: target the single set in that state;
        # pending devs: any set will do
        if dev.status in ('accepted', 'preauthorized'):
            in_state = [a for a in dev.authsets if a.status == dev.status]
            assert len(in_state) == 1
            target = in_state[0]
        else:
            target = dev.authsets[0]

        # for an accepted device, hold a live token to check revocation later
        dtoken = None
        if dev.status == 'accepted':
            body, sighdr = deviceauth_v1.auth_req(target.id_data, target.pubkey,
                                                  target.privkey, tenant_token)
            r = devauthd.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
            assert r.status_code == 200
            dtoken = r.text

        change_authset_status(dev.id, target.id, 'rejected', utoken)
        target.status = 'rejected'

        # device is 'rejected' iff every *other* authset is rejected too
        rejected_others = sum(
            1 for a in dev.authsets
            if a.id != target.id and a.status == 'rejected')
        dev.status = 'rejected' if rejected_others == len(dev.authsets) - 1 else 'pending'

        self.verify_dev_after_status_update(dev, utoken)

        # a token issued against the now-rejected authset must be refused
        if dtoken is not None:
            r = deploymentsd.with_auth(dtoken).call(
                'GET', deployments.URL_NEXT,
                qs_params={'device_type': 'foo', 'artifact_name': 'bar'})
            assert r.status_code == 401
def do_test_put_status_accept(self, devs_authsets, user, tenant_token=''):
    """Accept a pending/rejected authset on devices of every status and check
    the resulting state.

    Covers pending and rejected devices, plus accepted/preauthorized devices
    that have a spare authset. After acceptance the device is 'accepted', the
    previously accepted/preauthorized set is 'rejected', a token issued to the
    old accepted set must be refused (401), and the device must show up in
    inventory.
    """
    devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
    useradmm = ApiClient(useradm.URL_MGMT)
    deploymentsd = ApiClient(deployments.URL_DEVICES)

    r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    # pending/rejected devs as-is; accepted/preauthorized only with >1 authset
    candidates = []
    for status in ('pending', 'rejected', 'accepted', 'preauthorized'):
        found = filter_and_page_devs(devs_authsets, status=status)
        if status in ('accepted', 'preauthorized'):
            found = [d for d in found if len(d.authsets) > 1]
        candidates.extend(found)

    for dev in candidates:
        # accepted devs: obtain a live token for the currently accepted set
        dtoken = None
        if dev.status == 'accepted':
            live = [a for a in dev.authsets if a.status == 'accepted'][0]
            body, sighdr = deviceauth_v1.auth_req(live.id_data, live.pubkey,
                                                  live.privkey, tenant_token)
            r = devauthd.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
            assert r.status_code == 200
            dtoken = r.text

        # pick any pending or rejected set and accept it
        target = [a for a in dev.authsets if a.status in ('pending', 'rejected')][0]
        change_authset_status(dev.id, target.id, 'accepted', utoken)

        # only one set may be active: the old accepted/preauthorized one is rejected
        if dev.status in ('accepted', 'preauthorized'):
            displaced = [a for a in dev.authsets if a.status == dev.status]
            assert len(displaced) == 1
            displaced[0].status = 'rejected'

        dev.status = 'accepted'
        target.status = 'accepted'

        self.verify_dev_after_status_update(dev, utoken)

        # the displaced set's token must no longer grant access
        if dtoken is not None:
            r = deploymentsd.with_auth(dtoken).call(
                'GET', deployments.URL_NEXT,
                qs_params={'device_type': 'foo', 'artifact_name': 'bar'})
            assert r.status_code == 401

        # inventory provisioning is asynchronous; give it a moment
        time.sleep(1)
        self.verify_dev_provisioned(dev, utoken)
def test_limits_max_devices(self, tenants_devs_authsets):
    """Per tenant: pin the max-devices limit at the current accepted count and
    verify both read paths report it and that it is enforced.

    With the limit already reached, manually accepting a pending authset must
    fail (422) and a preauthorized device's auth request must be refused (401)
    even though its credential is valid — the limit, not the key, blocks it.
    """
    devauthi = ApiClient(deviceauth_v1.URL_INTERNAL)
    devauthm = ApiClient(deviceauth_v2.URL_MGMT)
    devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
    useradmm = ApiClient(useradm.URL_MGMT)

    for t in tenants_devs_authsets:
        num_acc = len(filter_and_page_devs(t.devices, status='accepted'))
        tid = {'tid': t.id}

        # limit == already accepted, so any further acceptance would exceed it
        r = devauthi.call('PUT', deviceauth_v1.URL_LIMITS_MAX_DEVICES,
                          {'limit': num_acc}, path_params=tid)
        assert r.status_code == 204

        # internal read-back
        r = devauthi.call('GET', deviceauth_v1.URL_LIMITS_MAX_DEVICES, path_params=tid)
        assert r.status_code == 200
        assert r.json()['limit'] == num_acc

        # management read-back as the tenant's user
        r = useradmm.call('POST', useradm.URL_LOGIN,
                          auth=(t.users[0].name, t.users[0].pwd))
        assert r.status_code == 200
        utoken = r.text
        r = devauthm.with_auth(utoken).call('GET', deviceauth_v2.URL_LIMITS_MAX_DEVICES)
        assert r.status_code == 200
        assert r.json()['limit'] == num_acc

        # manual acceptance over the limit is refused
        pending = filter_and_page_devs(t.devices, status='pending')[0]
        r = devauthm.with_auth(utoken).call(
            'PUT',
            deviceauth_v2.URL_AUTHSET_STATUS,
            deviceauth_v2.req_status('accepted'),
            path_params={'did': pending.id, 'aid': pending.authsets[0].id})
        assert r.status_code == 422

        # a preauthorized device cannot auto-accept its way past the limit either
        preauthd = filter_and_page_devs(t.devices, status='preauthorized')[0]
        pre_aset = preauthd.authsets[0]
        body, sighdr = deviceauth_v1.auth_req(preauthd.id_data, pre_aset.pubkey,
                                              pre_aset.privkey, t.tenant_token)
        r = devauthd.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
        assert r.status_code == 401
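def do_test_ok(self, user, tenant_token=''):
    """Preauthorize a device via the management API and verify the real device
    (holding the matching private key) is accepted on its first auth request.

    Checks: the preauthorized device/authset is listed with status
    'preauthorized', the device's signed auth request is answered 200 with a
    token, and both device and authset then read back as 'accepted'.

    Change vs. the original: the second device listing was consumed with
    ``r.json()`` without asserting the status code, so a failed call would
    surface as a confusing parse/index error instead of the real HTTP error;
    the token body is also checked to be non-empty.
    """
    useradmm = ApiClient(useradm.URL_MGMT)
    devauthm = ApiClient(deviceauth_v2.URL_MGMT)
    devauthd = ApiClient(deviceauth_v1.URL_DEVICES)

    r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    # preauthorize a device: identity data + public key, no device contact yet
    priv, pub = util.crypto.rsa_get_keypair()
    id_data = {'mac': 'pretenditsamac'}
    body = deviceauth_v2.preauth_req(id_data, pub)
    r = devauthm.with_auth(utoken).call('POST', deviceauth_v2.URL_DEVICES, body)
    assert r.status_code == 201

    # it must be the only device and carry exactly one 'preauthorized' authset
    r = devauthm.with_auth(utoken).call('GET', deviceauth_v2.URL_DEVICES)
    assert r.status_code == 200
    api_devs = r.json()
    assert len(api_devs) == 1
    api_dev = api_devs[0]
    assert api_dev['status'] == 'preauthorized'
    assert api_dev['identity_data'] == id_data
    assert len(api_dev['auth_sets']) == 1
    aset = api_dev['auth_sets'][0]
    assert aset['identity_data'] == id_data
    assert util.crypto.rsa_compare_keys(aset['pubkey'], pub)
    assert aset['status'] == 'preauthorized'

    # the real device, proving possession of the private key, gets a token at once
    body, sighdr = deviceauth_v1.auth_req(id_data, pub, priv, tenant_token)
    r = devauthd.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 200
    # the body is the device token; a 200 with an empty body would be a bug
    assert r.text

    # NOTE(review): path_params is given to the *list* endpoint (URL_DEVICES,
    # not URL_DEVICE); whether 'id' is honoured there is not visible here, so
    # the listing is still expected to contain exactly our one device.
    r = devauthm.with_auth(utoken).call('GET', deviceauth_v2.URL_DEVICES,
                                        path_params={'id': api_dev['id']})
    assert r.status_code == 200
    api_devs = r.json()
    assert len(api_devs) == 1
    api_dev = api_devs[0]
    assert api_dev['status'] == 'accepted'
    assert len(api_dev['auth_sets']) == 1
    aset = api_dev['auth_sets'][0]
    assert aset['status'] == 'accepted'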
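def do_test_delete_status(self, devs_authsets, user, tenant_token=''):
    """Delete one authset on every device and check the device's resulting
    state.

    For accepted/preauthorized devices the active set is deleted; for others
    the first one. An accepted device is logged in first so we can prove the
    deletion revokes its live token (401). Deleting the last authset of a
    preauthorized device removes the device entirely (404); in every other
    case the device remains and its status is recomputed from the remaining
    sets.

    Change vs. the original: the "device completely gone" branch ended with
    ``return``, which silently stopped the loop and left every device after
    the first such preauthorized one unchecked. It now ``continue``s so all
    devices in ``devs_authsets`` are exercised.
    """
    devauthm = ApiClient(deviceauth_v2.URL_MGMT)
    devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
    useradmm = ApiClient(useradm.URL_MGMT)
    deploymentsd = ApiClient(deployments.URL_DEVICES)

    r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    for dev in devs_authsets:
        # accepted/preauthorized devs: delete the single set in that state;
        # otherwise just pick the first one
        if dev.status in ('accepted', 'preauthorized'):
            in_state = [a for a in dev.authsets if a.status == dev.status]
            assert len(in_state) == 1
            aset = in_state[0]
        else:
            aset = dev.authsets[0]

        # for an accepted device, hold a live token to check revocation later
        dtoken = None
        if dev.status == 'accepted':
            body, sighdr = deviceauth_v1.auth_req(aset.id_data, aset.pubkey,
                                                  aset.privkey, tenant_token)
            r = devauthd.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
            assert r.status_code == 200
            dtoken = r.text

        r = devauthm.with_auth(utoken).call(
            'DELETE', deviceauth_v2.URL_AUTHSET,
            path_params={'did': dev.id, 'aid': aset.id})
        assert r.status_code == 204
        dev.authsets.remove(aset)

        # last authset of a preauthorized device: the device itself is removed
        if dev.status == 'preauthorized' and not dev.authsets:
            r = devauthm.with_auth(utoken).call(
                'GET', deviceauth_v2.URL_DEVICE, path_params={'id': dev.id})
            assert r.status_code == 404
            # nothing left to verify for this device; keep checking the others
            continue

        # otherwise the device remains with a status derived from what is left
        dev.status = self.compute_dev_status(dev.authsets)
        self.verify_dev_after_status_update(dev, utoken)

        # a token issued against the deleted authset must be refused
        if dtoken is not None:
            r = deploymentsd.with_auth(dtoken).call(
                'GET', deployments.URL_NEXT,
                qs_params={'device_type': 'foo', 'artifact_name': 'bar'})
            assert r.status_code == 401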